quote:

---

Originally posted by Ceth Eslick:
I set up my system as Kirill suggested. However, my VPN clients are having trouble accessing certain subnets. My ISA server is directly connected to three subnets and the internet. Two of them are internal networks, and the third is a DMZ. Across the DMZ are 4 more subnets by way of building-to-building wireless bridges. Each building has its own router seperating the DMZ from their own internal LANs.

From the VPN clients, I can access the two subnets that are directly connected to the ISA server, but I can't access the subnets in the other buildings. Tracerts to those subnets go nowhere.

Any ideas?

---

quote:

---

Originally posted by Kirill:
In my scenario DMZ is used for VPN traffic only, nothing else will pass through. As soon as a wireless client gets connected through VPN, it "jumps the subnets", providing a seamless operation on the network.
You will need something else for your configuration...[/QB]

---

quote:

---

Originally posted by tpagel:
Tom,

well, a normal packet filter will not help... I talked with MS PSS. They showed me how to setup a packet filter for the DHCP broadcast. You don't have to bind the filter to the NIC's IP address but to IP 0.0.0.0. So a packet filter for 67 local 68 remote in both directions did the trick...

They also told me that they might build a KB article for that...

Thomas

---

quote:

---

Originally posted by Todd G:
I currently use ISA for my DHCP server. If I move my wireless clients to a DMZ, will I be able to use the ISA machine for DHCP?

---

quote:

---

Originally posted by Kirill:

quote:

---

Originally posted by Ceth Eslick:
I set up my system as Kirill suggested. However, my VPN clients are having trouble accessing certain subnets. My ISA server is directly connected to three subnets and the internet. Two of them are internal networks, and the third is a DMZ. Across the DMZ are 4 more subnets by way of building-to-building wireless bridges. Each building has its own router seperating the DMZ from their own internal LANs.

From the VPN clients, I can access the two subnets that are directly connected to the ISA server, but I can't access the subnets in the other buildings. Tracerts to those subnets go nowhere.

Any ideas?

---

No surprises here. It works as planned. In my scenario DMZ is used for VPN traffic only, nothing else will pass through. As soon as a wireless client gets connected through VPN, it "jumps the subnets", providing a seamless operation on the network.
You will need something else for your configuration...

---

quote:

---

Originally posted by Ceth Eslick:

quote:

---

Originally posted by Kirill:
In my scenario DMZ is used for VPN traffic only, nothing else will pass through. As soon as a wireless client gets connected through VPN, it "jumps the subnets", providing a seamless operation on the network.
You will need something else for your configuration...

---

Internal, wired clients have no trouble reaching these subnets. Only the VPN clients are having problems. After ISA Server receives and decrypts VPN Client packets, shouldn't it forward them to their Non-VPN destinations regardless of whether the destination is on a local segment or on the other side of a router?

For example, this works:
VPN Client > ISA Server > Destination

But this doesn't:
VPN Client > ISA Server > Router > Destination

My hardware is WPA compliant, so it isn't a pressing urgency, but I'm still curious as to why this isn't working.[/QB]

---

quote:

---

Originally posted by Kirill:
Here is a little guide on what I did. I used TomÆs guide as an idea and did something different

Objectives: All wireless clients are domain members and should have the same type of access as if they were connecting from the inside of the network.

Step 1: Installed Windows 2003 server with 3 NIC cards with the following IPs: x.x.x.1 (External), y.y.y.1 (Internal), z.z.z.1 (DMZ).
Step 2: Installed ISA and included the internal network y.y.y.y to the LAT. DMZ was NOT included to the LAT.
Step 3: Used a VPN wizard ôAllow VPN client connectionsö on ISA.
Step 4: Tweaking the filters the wizard had created: Disabled all L2TP filters (wanted to use PPTP only). In PPTP filters changed from ôDefault IP addressö to the ôUse ISA serverÆs external IP addressö to ôz.z.z.1ö (DMZ).
Step 5: Created a security group called ôWireless usersö and included the users I wanted to have wireless access to this group.
Step 6: RRAS tweaking: In RRAS changed the ôPortsö so only WAN miniport (PPTP) is configured for remote access. In server properties ôSecurityö tab ôAuthentication methodsö enabled only MS-CHAP v2. Now the most important part: IP tab: Static address pool û added the set of addresses that is part of the internal network y.y.y.y; ôAdapterö-selected the one I used for DMZ. Created a remote access policy called ôWireless accessö to grant security group ôWireless usersö remote access.
Step 7: Created a VPN connectoid on a client computer to connect to the IP z.z.z.1 (DMZ) and selected ôAutomatically use my Windows log on name and passwordö in ôSecurityö. Selected PPTP. Instructed the users to log on ôUsing dial-up connectionö and select ôVPNö.

Now what have I achieved by doing it? There is only one filter on the ISA that allows the traffic from the DMZ û PPTP. No other traffic is let through. As soon as the user logs on, he gets an IP that is part of the internal network, so everything looks like heÆs connected from the inside. Domain resources are available, firewall client and web proxy work also.
No other tweaking required.

I hope it helps

---

I'm a newbie with ISA 2004 and had a few questions - I have a 2003 server with 3 nics and ISA 2004 installed. Could someone post instructions that are a bit more detailed on how to implement the configuration described above (and any details on the policy changes described in other replies)? Sorry for the ignorance but I'm still working to figure out ISA04.

Much thanks...

[ June 16, 2004, 06:37 PM: Message edited by: Michael L ]

(in reply to tshinder)